There’s a wide range of security practices and approaches that can be applied for risk assessment. The three most popular are:
- Penetration testing
- Red team testing
- Risk-based testing
I intend to compare these three approaches, for your understanding, with respect to one question: how does an organisation go about assessing its information risk?
Penetration Testing
It simulates an attack on the organization’s cybersecurity systems and applications using a wide range of manual techniques and automated tools. During this process, pentesters determine possible exploits for the vulnerabilities they find and estimate the potential damage those exploits could cause. A pentest may also include vulnerability scanning. The main goal of pentesting is to identify and assess all cybersecurity threats and risks to the organization.
Red Team Testing
It has a lot in common with pentesting. This approach also simulates attacks on the protected environment, BUT these attacks are more targeted, controlled, and well thought out.
Instead of exploiting every vulnerability, the testing team chooses what type of data they want to gain, which security issues to exploit, and how to simulate the actions of advanced threat actors.
Red teaming may be conducted only by a third-party testing team, because the point is to get an external view of the security controls. One of the most popular use cases for red team testing is to evaluate the security improvements made after a penetration test. It is unreasonable, however, to use this type of testing to examine the entire protected environment.
Risk-based testing
It is an approach to security testing that prioritizes activities based on the threats and risks already discovered. With this approach, testers and security experts agree on the potential risks and grade them by their level of impact. Risk-based testing is best applied when a project has severe time limitations, or when you need an urgent risk assessment and quick security improvements.
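To make the prioritization step concrete, here is an added example (not the author’s code) of how a risk-based test plan can be derived from a graded list of findings. It assumes a 1–5 likelihood scale and a 1–5 impact scale, a risk score of likelihood × impact, an estimated effort in hours per item, and a fixed engagement budget; the sample findings are constructed for illustration.

```python
# Added illustration of risk-based test prioritization (not the author's code).
# Assumptions: each finding is graded on a 1-5 likelihood and 1-5 impact scale,
# its risk score is likelihood * impact, and each test activity has an
# estimated effort in hours. The sample register below is constructed.

from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    effort_hours: float  # estimated time to test and verify this item

    def score(self) -> int:
        # Simple likelihood x impact grading, as agreed between testers and experts.
        return self.likelihood * self.impact


def rank_by_risk(findings):
    # Highest score first; ties broken by impact so severe items float up,
    # then by smaller effort so cheap checks come before expensive ones.
    return sorted(findings, key=lambda f: (-f.score(), -f.impact, f.effort_hours))


def plan_within_budget(findings, budget_hours):
    # Greedy fill of a limited engagement window: walk the ranked list and
    # keep every item that still fits. Returns (selected, deferred).
    selected, deferred, used = [], [], 0.0
    for f in rank_by_risk(findings):
        if used + f.effort_hours <= budget_hours:
            selected.append(f)
            used += f.effort_hours
        else:
            deferred.append(f)
    return selected, deferred


# Constructed sample register for a short engagement.
SAMPLE_FINDINGS = [
    Finding("Exposed admin panel without MFA", likelihood=4, impact=5, effort_hours=4),
    Finding("Outdated TLS cipher suites", likelihood=3, impact=2, effort_hours=1),
    Finding("Verbose error pages", likelihood=5, impact=1, effort_hours=0.5),
    Finding("Unvalidated file upload", likelihood=3, impact=5, effort_hours=6),
    Finding("Missing rate limit on login", likelihood=4, impact=3, effort_hours=2),
]

if __name__ == "__main__":
    chosen, later = plan_within_budget(SAMPLE_FINDINGS, budget_hours=8)
    for f in chosen:
        print(f"TEST  {f.score():>2}  {f.name} ({f.effort_hours}h)")
    for f in later:
        print(f"DEFER {f.score():>2}  {f.name} ({f.effort_hours}h)")
```

With an 8-hour budget the highest-scoring item is tested first, the expensive upload finding is deferred because it no longer fits, and the remaining cheap checks fill the leftover time; the deferred list is what gets carried into the next window rather than silently dropped.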
NOTE:
This is the time to spend some serious effort on the table shown here, which compares the effectiveness of these testing approaches in terms of risk assessment.
Of these three approaches, penetration testing for cyber risk assessment is the most balanced in terms of time consumption, cost, risk coverage, and results. Regular pentesting is also a requirement of NIST, HIPAA, PCI DSS, GDPR, and other regimes.
Before conducting a penetration test, it’s important to know about the types of pentesting and the basic workflow for this procedure. Right?
Please let me know what you think about this post in the comment section.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
More than 34,000 professionals follow her on Facebook for the quality of her posts.